France’s data protection agency, the CNIL, has slapped Google and Amazon with fines for dropping tracking cookies without consent.
Google has been hit with a total of €100 million ($120M) for dropping cookies on Google.fr and Amazon €35M (~42M) for doing so on the Amazon .fr domain under the penalty notices issued today.
The regulator carried out investigations of the websites over the past year and found tracking cookies were automatically dropped when a user visited the domains in breach of the country’s Data Protection Act.
In Google’s case the CNIL has found three consent violations related to dropping non-essential cookies.
“As this type of cookies cannot be deposited without the user having expressed his consent, the restricted committee considered that the companies had not complied with the requirement provided for by article 82 of the Data Protection Act and the prior collection of the consent before the deposit of non-essential cookies,” it writes in the penalty notice [which we’ve translated from French].
Amazon was found to have made two violations, per the CNIL penalty notice.
CNIL also found that the information about the cookies provided to site visitors was inadequate — noting that a banner displayed by Google did not provide specific information about the tracking cookies the Google.fr site had already dropped.
Under local French (and European) law, site users should have been clearly informed before the cookies were dropped and asked for their consent.
In Amazon’s case its French site displayed a banner informing arriving visitors that they agreed to its use of cookies. CNIL said this did not comply with transparency or consent requirements — since it was not clear to users that the tech giant was using cookies for ad tracking. Nor were users given the opportunity to consent.
The law on tracking cookie consent has been clear in Europe for years. But in October 2019 a CJEU ruling further clarified that consent must be obtained prior to storing or accessing non-essential cookies. As we reported at the time sites that failed to ask for consent to track were risking a big fine under EU privacy laws.
Google and Amazon are now finding that out to their cost, it seems.
We’ve reached out to Amazon and Google for comment on the CNIL’s action.
In Google’s case the CNIL also found that when a user selected to deactivate personalized advertising — via an option that Google’s cookie notice presented them with — the mechanism only partially worked, as one advertising cookie remained stored on their machine and continued to process data in clear violation of the consent law.
The CNIL’s penalty for Google breaks down into a fine of €60M for Google LLC and €40M for Google Ireland Ltd.
It says the size of the fines is justified because of the seriousness of the triple breach of article 82 of the Data Protection Act.
Other factors involved in determining the size of the fine included the reach of Google’s search engine in France and the fact that its corporate practices affect almost 50M people, as well as the sizeable profits it derives from advertising which are linked to data generated by its tracking cookies.
Per the CNIL’s investigation, Google stopped automatically dropping the ad cookies on the Google.fr domain after an update in September 2020. However it said a new cookie notice that’s presenting to arriving users still does not provide adequate information about what the cookies are used for nor inform users they can refuse these non-essential cookies.
Because of this the CNIL has also hit Google with an injunction — giving it three months to correct the cookie notices so they provide the required information to users or Google is risking further fines of €100,000 per day until the violation stops.
The regulator’s investigation of Google.fr took place in March 2020, while its checks on Amazon.fr took place between mid December, 2019 and mid May, 2020.
Amazon also updated its local site in September 2020 — to stop automatically dropping the tracking cookies.
However the CNIL is similarly unhappy with the information it provides to users, finding it does not clearly explain the tracking cookies nor make it plain users can refuse this ‘personalized’ advertising, so the ecommerce giant has also been issued with an injunction to make good on the consent notices within three months or face further fines of €100,000 per day.
The top-line penalties are some of the largest tech giants have faced in Europe to date related to privacy rules.
The CNIL had previously fined Google $57M, back in 2019 — also for failing transparency requirements, though that case was related to complaints filed under the EU’s General Data Protection Regulation (GDPR).
In this instance (for both Google and Amazon) the CNIL notes cookie consents falls under the ePrivacy Directive, which means the GDPR’s one-stop-shop mechanism does not kick in.
That means the French watchdog has legal competence to investigate, rather than needing to refer concerns to a lead EU DPA where the companies have their regional legal base.
In Google’s case that would be Ireland — and it’s worth noting that Ireland’s DPC still hasn’t issued a single GDPR decision in any of the scores of open cases relayed to big tech (including into various aspects of Google’s business), more than 2.5 years since the GDPR came into application.
So the speed of French investigations and decisions continue to impress. And today’s cookie fines will likely provide more succour to critics of GDPR enforcement.
Although it’s not a like-for-like comparison as they are limited in scope to national investigations, bypassing the administrative complexity attached to GDPR cross-border cases which involve some joint working and ultimate agreement between multiple DPAs.
But if an older directive is shown to be delivering speedy enforcement when the ‘shiny’, newer regulation can’t that does raise some major questions for EU lawmakers who have conceded GDPR enforcement is a weakness.
This story is developing — refresh for updates…
